CVE-2026-23064 - Vulnerability Details

- net/sched: act_ife: avoid possible NULL deref

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ife: avoid possible NULL deref

tcf_ife_encode() must make sure ife_encode() does not return NULL.

syzbot reported:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166
CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
<TASK>
ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101
tcf_ife_encode net/sched/act_ife.c:841 [inline]
tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877
tc_act include/net/tc_wrapper.h:130 [inline]
tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152
tcf_exts_exec include/net/pkt_cls.h:349 [inline]
mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42
tc_classify include/net/tc_wrapper.h:197 [inline]
__tcf_classify net/sched/cls_api.c:1764 [inline]
tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860
multiq_classify net/sched/sch_multiq.c:39 [inline]
multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66
dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147
__dev_xmit_skb net/core/dev.c:4262 [inline]
__dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798

Published: 2026-02-04

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A null pointer dereference occurs in tcf_ife_encode within the Linux kernel traffic control code. The bug allows the kernel to trigger an OOPS and general protection fault, causing a kernel panic. Such a crash results in a denial of service, potentially leaving the system offline.

Affected Systems

The flaw affects the Linux kernel, specifically the 6.19 release candidates rc1 through rc6. Any system running these kernels and using the act_ife qdisc is vulnerable. The generic Linux kernel is also listed as affected.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity; the EPSS is below 1%, suggesting exploitation is unlikely but possible. The vulnerability would be exercised by forging a packet that exercises the act_ife qdisc, which could be triggered by a local user or by a remote network attacker with the ability to send crafted frames. Because no privilege escalation or data disclosure is reported, the primary risk is disruption through kernel crashes, and the kernel provides no mitigation such as restricting the affected code path.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`295a6e06d21e1f469c9f38b00125a13b60ad4e7c`	affected	< 4ef2c77851676b7ed106f0c47755bee9eeec9a40
`295a6e06d21e1f469c9f38b00125a13b60ad4e7c`	affected	< dd9442aedbeae87c44cc64c0ee41abd296dc008b
`295a6e06d21e1f469c9f38b00125a13b60ad4e7c`	affected	< 1440d749fe49c8665da6f744323b1671d25a56a0
`295a6e06d21e1f469c9f38b00125a13b60ad4e7c`	affected	< 03710cebfc0bcfe247a9e04381e79ea33896e278
`295a6e06d21e1f469c9f38b00125a13b60ad4e7c`	affected	< 374915dfc932adf57712df3be010667fd1190e3c
`295a6e06d21e1f469c9f38b00125a13b60ad4e7c`	affected	< 6c75fed55080014545f262b7055081cec4768b20
`295a6e06d21e1f469c9f38b00125a13b60ad4e7c`	affected	< 27880b0b0d35ad1c98863d09788254e36f874968

Linux

affected

Version	Status	Constraints
`4.11`	affected	—
`0`	unaffected	< 4.11
`5.10.249`	unaffected	≤ 5.10.*
`5.15.199`	unaffected	≤ 5.15.*
`6.1.162`	unaffected	≤ 6.1.*
`6.6.122`	unaffected	≤ 6.6.*
`6.12.68`	unaffected	≤ 6.12.*
`6.18.8`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the commit that patches the act_ife null dereference; the patch is available in the provided kernel URLs.
Upgrade the kernel to a version that includes this fix, such as Linux kernel 6.19 rc7 or a later stable release.
Reboot the system to load the updated kernel and verify that the issue no longer occurs.

Generated by OpenCVE AI on April 17, 2026 at 23:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4475-1	linux security update
Debian DLA	DLA-4476-1	linux-6.1 security update
Debian DSA	DSA-6126-1	linux security update
Debian DSA	DSA-6127-1	linux security update
Ubuntu USN	USN-8162-1	Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN	USN-8180-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8180-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8186-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8187-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8188-1	Linux kernel (HWE) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/03710cebfc0bcfe247a9e04381e79ea33896e278
https://git.kernel.org/stable/c/1440d749fe49c8665da6f744323b1671d25a56a0
https://git.kernel.org/stable/c/27880b0b0d35ad1c98863d09788254e36f874968
https://git.kernel.org/stable/c/374915dfc932adf57712df3be010667fd1190e3c
https://git.kernel.org/stable/c/4ef2c77851676b7ed106f0c47755bee9eeec9a40
https://git.kernel.org/stable/c/6c75fed55080014545f262b7055081cec4768b20
https://git.kernel.org/stable/c/dd9442aedbeae87c44cc64c0ee41abd296dc008b
https://lore.kernel.org/linux-cve-announce/2026020416-CVE-2026-23064-8eec@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23064
https://www.cve.org/CVERecord?id=CVE-2026-23064

History

Fri, 13 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 06 Feb 2026 16:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/1440d749fe49c8665da6f744323b1671d25a56a0 https://git.kernel.org/stable/c/4ef2c77851676b7ed106f0c47755bee9eeec9a40 https://git.kernel.org/stable/c/dd9442aedbeae87c44cc64c0ee41abd296dc008b

Thu, 05 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026020416-CVE-2026-23064-8eec@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23064 https://www.cve.org/CVERecord?id=CVE-2026-23064

Wed, 04 Feb 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) Call Trace: <TASK> ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 tcf_ife_encode net/sched/act_ife.c:841 [inline] tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 tc_act include/net/tc_wrapper.h:130 [inline] tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 tcf_exts_exec include/net/pkt_cls.h:349 [inline] mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1764 [inline] tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 multiq_classify net/sched/sch_multiq.c:39 [inline] multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 __dev_xmit_skb net/core/dev.c:4262 [inline] __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798
Title		net/sched: act_ife: avoid possible NULL deref
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/03710cebfc0bcfe247a9e04381e79ea33896e278 https://git.kernel.org/stable/c/27880b0b0d35ad1c98863d09788254e36f874968 https://git.kernel.org/stable/c/374915dfc932adf57712df3be010667fd1190e3c https://git.kernel.org/stable/c/6c75fed55080014545f262b7055081cec4768b20

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-04T16:07:46.329Z

Updated: 2026-02-09T08:38:03.299Z

Reserved: 2026-01-13T15:37:45.953Z

Link: CVE-2026-23064

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-04T17:16:17.093

Modified: 2026-03-13T21:28:09.897

Link: CVE-2026-23064

Redhat

Severity :

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23064 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T23:45:25Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object